MDVSA-2013:301

Problembeschreibung

A vulnerability has been discovered and corrected in mozilla NSS:

Google notified Mozilla that an intermediate certificate, which
chains up to a root included in Mozillas root store, was loaded into
a man-in-the-middle (MITM) traffic management device. This certificate
was issued by Agence nationale de la scurit des systmes d'information
(ANSSI), an agency of the French government and a certificate authority
in Mozilla's root program. A subordinate certificate authority of
ANSSI mis-issued an intermediate certificate that they installed on a
network monitoring device, which enabled the device to act as a MITM
proxy performing traffic management of domain names or IP addresses
that the certificate holder did not own or control.

The issue was not specific to Firefox but there was evidence that one
of the certificates was used for MITM traffic management of domain
names that the customer did not legitimately own or control. This
issue was resolved by revoking trust in the intermediate used by the
sub-CA to issue the certificate for the MITM device.

The NSS packages has been upgraded to the 3.15.3.1 version which is
unaffected by this security flaw.

Additionally the rootcerts packages has been upgraded with the latest
certdata.txt file as of 2013/12/04 from mozilla.